arcvision 0.2.14 → 0.2.15

package/src/arcvision-guard.js

@@ -0,0 +1,433 @@
+#!/usr/bin/env node
+
+const { Command } = require('commander');
+const chalk = require('chalk');
+const path = require('path');
+const fs = require('fs');
+const crypto = require('crypto');
+const { execSync } = require('child_process');
+
+const program = new Command();
+
+program
+  .name('arcvision-guard')
+  .description('ArcVision Impact Guard - Enforce architectural safety')
+  .version('1.0.0');
+
+program
+  .command('check')
+  .description('Check current changes against architectural invariants')
+  .option('-d, --dir <directory>', 'Working directory', '.')
+  .option('-v, --verbose', 'Show detailed output')
+  .option('--fail-on-warnings', 'Exit with error code on warnings')
+  .option('--bypass-token <token>', 'Bypass token for overriding critical violations')
+  .action((options) => {
+    console.log(chalk.blue('🛡️  ArcVision Impact Guard'));
+    console.log(chalk.blue('Checking architectural safety...\n'));
+    
+    try {
+      // Load configuration
+      const config = loadConfig(options.dir);
+      
+      // Check for bypass token
+      const bypassToken = options.bypassToken || process.env.ARCVISION_BYPASS_TOKEN;
+      let bypassValid = false;
+      
+      if (bypassToken) {
+        bypassValid = validateBypassToken(bypassToken, options.dir);
+        if (bypassValid) {
+          console.log(chalk.yellow('⚠️  Bypass token detected - proceeding with caution'));
+        } else {
+          console.log(chalk.red('❌ Invalid bypass token - continuing with normal validation'));
+        }
+      }
+      
+      // Generate current context
+      console.log(chalk.gray('Generating current architectural context...'));
+      execSync('arcvision scan --output current-check.json', { stdio: 'inherit' });
+      
+      // Check for git changes if in a repo
+      let hasChanges = false;
+      try {
+        execSync('git diff --quiet HEAD', { stdio: 'pipe' });
+      } catch (error) {
+        hasChanges = true;
+      }
+      
+      if (hasChanges) {
+        console.log(chalk.gray('Comparing with HEAD context...'));
+        execSync('git stash push -m "temp-for-guard-check"', { stdio: 'pipe' });
+        execSync('git checkout HEAD --quiet');
+        execSync('arcvision scan --output head-context.json', { stdio: 'inherit' });
+        execSync('git stash pop --quiet', { stdio: 'pipe' });
+        
+        // Generate diff
+        execSync('arcvision diff head-context.json current-check.json --output guard-report.json', { stdio: 'inherit' });
+      } else {
+        // No changes, just validate current state
+        execSync('cp current-check.json guard-report.json', { stdio: 'inherit' });
+      }
+      
+      // Analyze report
+      const report = JSON.parse(fs.readFileSync('guard-report.json', 'utf8'));
+      const analysis = analyzeReport(report, config);
+      
+      // Display results
+      displayResults(analysis, options.verbose);
+      
+      // Handle bypass logic
+      if (analysis.criticalIssues.length > 0 && !bypassValid) {
+        console.log(chalk.red('\n❌ Critical architectural violations detected!'));
+        console.log(chalk.yellow('\nTo bypass this check (USE WITH EXTREME CAUTION):'));
+        console.log(chalk.yellow('1. Generate bypass token: arcvision-guard bypass-request'));
+        console.log(chalk.yellow('2. Use token: arcvision-guard check --bypass-token <generated_token>'));
+        console.log(chalk.red('\n⚠️  WARNING: Bypassing critical violations can break your system!'));
+        process.exit(1);
+      } else if (options.failOnWarnings && analysis.warnings.length > 0 && !bypassValid) {
+        console.log(chalk.yellow('\n⚠️  Warnings present (failing due to --fail-on-warnings)'));
+        process.exit(1);
+      } else if (analysis.warnings.length > 0 && !bypassValid) {
+        console.log(chalk.yellow('\n⚠️  Architectural warnings detected - review recommended'));
+        process.exit(0);
+      } else {
+        console.log(chalk.green('\n✅ No architectural issues detected'));
+        process.exit(0);
+      }
+      
+      // Cleanup
+      cleanupFiles(['current-check.json', 'head-context.json', 'guard-report.json']);
+      
+    } catch (error) {
+      console.error(chalk.red('Guard check failed:'), error.message);
+      process.exit(1);
+    }
+  });
+
+program
+  .command('bypass-request')
+  .description('Request a one-time bypass token for critical changes')
+  .option('-d, --dir <directory>', 'Working directory', '.')
+  .option('-r, --reason <reason>', 'Reason for bypass request')
+  .action((options) => {
+    console.log(chalk.blue('🛡️  ArcVision Bypass Request'));
+    
+    const reason = options.reason || 'No reason provided';
+    const timestamp = new Date().toISOString();
+    const hashInput = `${timestamp}-${reason}-${Math.random()}`;
+    const token = crypto.createHash('sha256').update(hashInput).digest('hex').substring(0, 32);
+    
+    // Store token info for validation
+    const tokenInfo = {
+      token: token,
+      reason: reason,
+      created: timestamp,
+      used: false,
+      expires: new Date(Date.now() + 24 * 60 * 60 * 1000).toISOString() // 24 hours
+    };
+    
+    const tokensDir = path.join(options.dir, '.arcvision', 'tokens');
+    if (!fs.existsSync(tokensDir)) {
+      fs.mkdirSync(tokensDir, { recursive: true });
+    }
+    
+    const tokenFile = path.join(tokensDir, `${token}.json`);
+    fs.writeFileSync(tokenFile, JSON.stringify(tokenInfo, null, 2));
+    
+    console.log(chalk.green('\n✅ Bypass token generated!'));
+    console.log(chalk.yellow('\nToken:'), chalk.bold(token));
+    console.log(chalk.yellow('Reason:'), reason);
+    console.log(chalk.yellow('Expires:'), tokenInfo.expires);
+    console.log(chalk.red('\n⚠️  CRITICAL: This token can only be used ONCE and expires in 24 hours'));
+    console.log(chalk.red('⚠️  Use only for absolutely necessary architectural changes'));
+    console.log(chalk.yellow('\nUsage: arcvision-guard check --bypass-token'), chalk.bold(token));
+  });
+
+program
+  .command('bypass-status')
+  .description('Check status of bypass tokens')
+  .option('-d, --dir <directory>', 'Working directory', '.')
+  .action((options) => {
+    const tokensDir = path.join(options.dir, '.arcvision', 'tokens');
+    
+    if (!fs.existsSync(tokensDir)) {
+      console.log(chalk.yellow('No bypass tokens found'));
+      return;
+    }
+    
+    const tokenFiles = fs.readdirSync(tokensDir).filter(f => f.endsWith('.json'));
+    
+    if (tokenFiles.length === 0) {
+      console.log(chalk.yellow('No bypass tokens found'));
+      return;
+    }
+    
+    console.log(chalk.blue('🛡️  ArcVision Bypass Token Status'));
+    console.log(chalk.blue('==================================='));
+    
+    tokenFiles.forEach(file => {
+      const tokenInfo = JSON.parse(fs.readFileSync(path.join(tokensDir, file), 'utf8'));
+      const status = tokenInfo.used ? chalk.red('USED') : 
+                    new Date(tokenInfo.expires) < new Date() ? chalk.gray('EXPIRED') : 
+                    chalk.green('ACTIVE');
+      
+      console.log(`\nToken: ${file.replace('.json', '')}`);
+      console.log(`Status: ${status}`);
+      console.log(`Reason: ${tokenInfo.reason}`);
+      console.log(`Created: ${tokenInfo.created}`);
+      console.log(`Expires: ${tokenInfo.expires}`);
+      console.log(`Used: ${tokenInfo.used ? 'Yes' : 'No'}`);
+    });
+  });
+
+program
+  .command('setup')
+  .description('Initialize ArcVision Impact Guard in current repository')
+  .option('-f, --force', 'Force re-initialization')
+  .action((options) => {
+    console.log(chalk.blue('🔧 Setting up ArcVision Impact Guard...\n'));
+    
+    const arcDir = path.join('.', '.arcvision');
+    
+    // Check if already initialized
+    if (fs.existsSync(arcDir) && !options.force) {
+      console.log(chalk.yellow('ArcVision Impact Guard is already initialized.'));
+      console.log(chalk.yellow('Use --force to reinitialize.'));
+      return;
+    }
+    
+    // Create directory structure
+    if (!fs.existsSync(arcDir)) {
+      fs.mkdirSync(arcDir, { recursive: true });
+    }
+    
+    // Create tokens directory
+    const tokensDir = path.join(arcDir, 'tokens');
+    if (!fs.existsSync(tokensDir)) {
+      fs.mkdirSync(tokensDir, { recursive: true });
+    }
+    
+    // Copy configuration templates
+    const templateDir = path.join(__dirname, '..', '.arcvision');
+    if (fs.existsSync(templateDir)) {
+      copyFile(path.join(templateDir, 'config.json'), path.join(arcDir, 'config.json'));
+      copyFile(path.join(templateDir, 'invariants.json'), path.join(arcDir, 'invariants.json'));
+      console.log(chalk.green('✅ Configuration files created'));
+    }
+    
+    // Update .gitignore
+    updateGitIgnore();
+    
+    // Add to package.json if it exists
+    updatePackageJson();
+    
+    console.log(chalk.green('\n🎉 ArcVision Impact Guard initialized successfully!'));
+    console.log(chalk.yellow('\nNext steps:'));
+    console.log(chalk.yellow('1. Review .arcvision/config.json for project settings'));
+    console.log(chalk.yellow('2. Customize .arcvision/invariants.json with your architectural rules'));
+    console.log(chalk.yellow('3. Run: arcvision-guard check'));
+    console.log(chalk.yellow('4. For critical changes: arcvision-guard bypass-request --reason "your reason"'));
+  });
+
+program
+  .command('add-invariant')
+  .description('Add a custom architectural invariant')
+  .argument('<name>', 'Invariant name')
+  .argument('<description>', 'Invariant description')
+  .option('-s, --severity <level>', 'Severity (critical|warning)', 'warning')
+  .option('-c, --category <category>', 'Category (structural|domain|architectural|integration)', 'architectural')
+  .action((name, description, options) => {
+    const invariant = {
+      id: name.toLowerCase().replace(/\s+/g, '_'),
+      name: name,
+      description: description,
+      category: options.category,
+      severity: options.severity,
+      detection_pattern: "custom_pattern",
+      remediation: "Define appropriate remediation steps"
+    };
+    
+    const invariantsPath = path.join('.arcvision', 'invariants.json');
+    if (!fs.existsSync(invariantsPath)) {
+      console.log(chalk.red('❌ ArcVision not initialized. Run "arcvision-guard setup" first.'));
+      process.exit(1);
+    }
+    
+    const invariants = JSON.parse(fs.readFileSync(invariantsPath, 'utf8'));
+    invariants.project_specific_invariants.push(invariant);
+    
+    fs.writeFileSync(invariantsPath, JSON.stringify(invariants, null, 2));
+    console.log(chalk.green(`✅ Added invariant: ${name}`));
+  });
+
+// Helper functions
+function loadConfig(dir) {
+  const configPath = path.join(dir, '.arcvision', 'config.json');
+  if (fs.existsSync(configPath)) {
+    return JSON.parse(fs.readFileSync(configPath, 'utf8'));
+  }
+  return { guard_rules: {} };
+}
+
+function validateBypassToken(token, dir) {
+  const tokenFile = path.join(dir, '.arcvision', 'tokens', `${token}.json`);
+  
+  if (!fs.existsSync(tokenFile)) {
+    return false;
+  }
+  
+  const tokenInfo = JSON.parse(fs.readFileSync(tokenFile, 'utf8'));
+  
+  // Check if expired
+  if (new Date(tokenInfo.expires) < new Date()) {
+    return false;
+  }
+  
+  // Check if already used
+  if (tokenInfo.used) {
+    return false;
+  }
+  
+  // Mark as used
+  tokenInfo.used = true;
+  fs.writeFileSync(tokenFile, JSON.stringify(tokenInfo, null, 2));
+  
+  return true;
+}
+
+function analyzeReport(report, config) {
+  const criticalIssues = [];
+  const warnings = [];
+  
+  // Check blast radius changes
+  if (report.blast_radius_changes) {
+    report.blast_radius_changes.forEach(change => {
+      const threshold = config.guard_rules?.blast_radius?.critical_threshold || 50;
+      if (change.percentage_increase > threshold) {
+        criticalIssues.push({
+          type: 'blast_radius',
+          message: `High blast radius increase: ${change.file} (+${change.percentage_increase}%)`,
+          file: change.file
+        });
+      } else if (change.percentage_increase > 20) {
+        warnings.push({
+          type: 'blast_radius',
+          message: `Moderate blast radius increase: ${change.file} (+${change.percentage_increase}%)`,
+          file: change.file
+        });
+      }
+    });
+  }
+  
+  // Check invariant violations
+  if (report.invariant_violations) {
+    report.invariant_violations.forEach(violation => {
+      const issue = {
+        type: 'invariant',
+        message: `${violation.invariant_id}: ${violation.description}`,
+        file: violation.file
+      };
+      
+      if (violation.severity === 'critical') {
+        criticalIssues.push(issue);
+      } else {
+        warnings.push(issue);
+      }
+    });
+  }
+  
+  // Check authority core changes
+  if (report.authority_core_changes) {
+    report.authority_core_changes.forEach(change => {
+      criticalIssues.push({
+        type: 'authority_core',
+        message: `Authority core modified: ${change.file} - ${change.reason}`,
+        file: change.file
+      });
+    });
+  }
+  
+  return { criticalIssues, warnings };
+}
+
+function displayResults(analysis, verbose) {
+  if (analysis.criticalIssues.length === 0 && analysis.warnings.length === 0) {
+    console.log(chalk.green('✅ No architectural issues detected'));
+    return;
+  }
+  
+  if (analysis.criticalIssues.length > 0) {
+    console.log(chalk.red(`\n❌ Critical Issues (${analysis.criticalIssues.length}):`));
+    analysis.criticalIssues.forEach(issue => {
+      console.log(chalk.red(`  • ${issue.message}`));
+      if (verbose && issue.file) {
+        console.log(chalk.gray(`    File: ${issue.file}`));
+      }
+    });
+  }
+  
+  if (analysis.warnings.length > 0) {
+    console.log(chalk.yellow(`\n⚠️  Warnings (${analysis.warnings.length}):`));
+    analysis.warnings.forEach(warning => {
+      console.log(chalk.yellow(`  • ${warning.message}`));
+      if (verbose && warning.file) {
+        console.log(chalk.gray(`    File: ${warning.file}`));
+      }
+    });
+  }
+}
+
+function updateGitIgnore() {
+  const gitignorePath = '.gitignore';
+  const ignoreEntries = [
+    '# ArcVision Impact Guard',
+    '.arcvision/temp/',
+    '.arcvision/cache/',
+    '.arcvision/tokens/',
+    '*-check.json',
+    '*-context.json',
+    'guard-report.json'
+  ];
+  
+  let content = '';
+  if (fs.existsSync(gitignorePath)) {
+    content = fs.readFileSync(gitignorePath, 'utf8');
+  }
+  
+  const newEntries = ignoreEntries.filter(entry => !content.includes(entry));
+  if (newEntries.length > 0) {
+    fs.appendFileSync(gitignorePath, '\n' + newEntries.join('\n') + '\n');
+    console.log(chalk.green('✅ Updated .gitignore'));
+  }
+}
+
+function updatePackageJson() {
+  const pkgPath = 'package.json';
+  if (fs.existsSync(pkgPath)) {
+    const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf8'));
+    pkg.scripts = pkg.scripts || {};
+    
+    if (!pkg.scripts['arcvision:check']) {
+      pkg.scripts['arcvision:check'] = 'arcvision-guard check';
+      pkg.scripts['arcvision:setup'] = 'arcvision-guard setup';
+      pkg.scripts['arcvision:bypass'] = 'arcvision-guard bypass-request';
+      fs.writeFileSync(pkgPath, JSON.stringify(pkg, null, 2));
+      console.log(chalk.green('✅ Updated package.json scripts'));
+    }
+  }
+}
+
+function copyFile(src, dest) {
+  if (fs.existsSync(src)) {
+    fs.copyFileSync(src, dest);
+  }
+}
+
+function cleanupFiles(files) {
+  files.forEach(file => {
+    if (fs.existsSync(file)) {
+      fs.unlinkSync(file);
+    }
+  });
+}
+
+program.parse();